Use Case: Control Web Access

When using URL filtering to control user website
access, there may be instances where granular control is required
for a given website. In this use case, a URL filtering profile is
applied to the security policy that allows web access for your users
and the social-networking URL category is set to block,
but the allow list in the URL profile is configured to allow the
social networking site Facebook. To further control Facebook, the
company policy also states that only marketing has full access to
Facebook and all other users within the company can only read Facebook
posts and cannot use any other Facebook applications, such as email,
posting, chat, and file sharing. To accomplish this requirement,
App-ID must be used to provide granular control over Facebook.

The
first Security policy rule will allow marketing to access the Facebook
website as well as all Facebook applications. Because this allow
rule will also allow access to the Internet, threat prevention profiles
are applied to the rule, so traffic that matches the policy will
be scanned for threats. This is important because the allow rule
is terminal and will not continue to check other rules if there
is a traffic match.

Confirm that URL filtering is licensed.

Select Device > Licenses and confirm that a
valid date appears for the URL filtering database that will be used.
This will be either PAN-DB or BrightCloud.

Modify the new URL filtering profile and
in the Category list scroll to social-networking and
in the Action column click on allow and
change the action to block.

In the Allow List, enter facebook.com,
press enter to start a new line and then type *.facebook.com.
Both of these formats are required, so all URL variants a user may
use will be identified, such as facebook.com, www.facebook.com,
and https://facebook.com.

Click OK to save the profile.

Apply the new URL filtering profile to the security policy
rule that allows web access from the user network to the Internet.

Select Policies > Security and click on the policy
rule that allows web access.

On the Actions tab, select
the URL profile you just created from the URL Filtering drop-down.

Click OK to save.

Create the security policy rule that will allow marketing
to access the Facebook website and all Facebook applications.

This rule must precede other rules because:

It is a specific rule, and more specific rules must precede
more general rules.

The allow rule is terminal: rule processing stops as soon as
traffic matches it, so a broader rule placed above it would
shadow it.

Select Policies > Security and click Add.

Enter a Name and optionally
a Description and Tag(s).

On the Source tab add the zone
where the users are connected.

On the User tab in the Source
User section click Add.

Select the directory group that contains your marketing users.

On the Destination tab, select
the zone that is connected to the Internet.

On the Applications tab, click Add and
add the facebook App-ID signature.

On the Actions tab, add the
default profiles for Antivirus, Vulnerability
Protection, and Anti-Spyware.

Click OK to save the security
policy rule.

The facebook App-ID signature used in this
policy rule encompasses all Facebook applications, such as facebook-base,
facebook-chat, and facebook-mail, so this is the only App-ID signature
required in this rule.

With this rule in place, when a marketing
employee attempts to access the Facebook website or any Facebook
application, the rule matches based on the user being part of the
marketing group. For traffic from any user outside of marketing,
the rule will be skipped because there would not be a traffic match
and rule processing would continue.

Configure the security policy to block all other users
from using any Facebook applications other than simple web browsing.
The easiest way to do this is to clone the marketing allow policy
and then modify it.

From Policies > Security, click the marketing
Facebook allow policy you created earlier to highlight it and then
click the Clone icon.

Enter a Name and optionally
enter a Description and Tag(s).

On the User tab, highlight the
marketing group, delete it, and then select any from the drop-down.

On the Applications tab, click
the facebook App-ID signature and delete it.

Click Add and add the following
App-ID signatures:

facebook-apps

facebook-chat

facebook-file-sharing

facebook-mail

facebook-posting

facebook-social-plugin

On the Actions tab in the Action
Setting section, select Deny.
The profile settings should already be correct because this rule
was cloned.

Click OK to save the security
policy rule.

Ensure that this new deny rule is listed after the
marketing allow rule, so that rule processing occurs in the
correct order: marketing users are allowed first, and all other
users are then denied or limited.

Click Commit to save the configuration.

With these security policy rules in place, any user who
is part of the marketing group will have full access to all Facebook
applications and any user that is not part of the marketing group
will only have read-only access to the Facebook website and will
not be able to use Facebook applications such as post, chat, email,
and file sharing.
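The following is an added example, not PAN-OS code or part of the original page: a small first-match model of the three rules and the URL profile described above. It shows why the order of the marketing allow rule and the deny rule matters, and how the allow list (facebook.com and *.facebook.com) overrides the blocked social-networking category. The category map and user names are constructed sample values.

```python
# Added example (not PAN-OS code): a first-match model of the rulebase in this use case.
# Rules are evaluated top to bottom; the first rule that matches is terminal.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOW_LIST = ["facebook.com", "*.facebook.com"]  # allow list from the URL filtering profile
URL_CATEGORY = {"facebook.com": "social-networking",   # constructed sample categorisation
                "linkedin.com": "social-networking",
                "example.com": "business"}

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    users: set = field(default_factory=lambda: {"any"})
    apps: set = field(default_factory=lambda: {"any"})

RULEBASE = [
    Rule("marketing-facebook", "allow", users={"marketing"}, apps={"facebook"}),
    Rule("deny-facebook-apps", "deny", apps={"facebook-apps", "facebook-chat",
         "facebook-file-sharing", "facebook-mail", "facebook-posting", "facebook-social-plugin"}),
    Rule("web-access", "allow"),                  # general web rule carrying the URL profile
]

def app_matches(rule_apps, app):
    # The container App-ID "facebook" covers its members such as facebook-chat and facebook-mail
    return "any" in rule_apps or app in rule_apps or ("facebook" in rule_apps and app.startswith("facebook"))

def host_allowed(host):
    # "facebook.com" matches exactly; "*.facebook.com" matches any subdomain such as www.facebook.com
    return any(host == p or (p.startswith("*.") and host.endswith(p[1:])) for p in ALLOW_LIST)

def url_filter(url):
    """Return 'allow' or 'block' under the URL profile: the allow list wins over the category."""
    host = urlsplit(url).hostname or url          # handles both "https://facebook.com" and "facebook.com"
    if host_allowed(host):
        return "allow"
    domain = ".".join(host.split(".")[-2:])       # look the registered domain up in the category map
    return "block" if URL_CATEGORY.get(domain) == "social-networking" else "allow"

def evaluate(user, app, url=None, rulebase=RULEBASE):
    """Return (rule name, verdict) for the first matching rule; the URL profile applies on web-access only."""
    for rule in rulebase:
        if ("any" in rule.users or user in rule.users) and app_matches(rule.apps, app):
            if rule.name == "web-access" and url:
                return rule.name, url_filter(url)
            return rule.name, rule.action
    return "default", "deny"                      # no explicit rule matched: implicit deny
```

Swapping the first two rules (`evaluate(..., rulebase=[RULEBASE[1], RULEBASE[0], RULEBASE[2]])`) shows the deny rule shadowing marketing, which is the ordering mistake the procedure warns against.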